Industry regulators should continue special campaigns against the unlawful collection and use of personal information, and make full use of leading platforms as "gatekeepers": app stores and the platforms that host mini-programs should supervise the apps and mini-programs they carry and regulate how those apps and mini-programs collect personal information.

  Shan Yong, Professor, School of Law, Nanjing University

  Turn on the phone, check the news, share experiences, search for restaurants, buy things... Xiaoyu, a teacher at a university in Nanjing, spends a lot of time on her phone every day, and her phone has more than 150 apps, pre-installed and downloaded.

  She found that every time she registered an account or installed software, a "User Agreement and Privacy Policy" popped up on the screen, but she scrolled straight to the bottom and clicked "I have read and agree to the User Agreement".

She told reporters that the agreements were too long and too technical, and that reading them carefully and understanding their content was almost impossible.

  Xiaoyu is not an exception. A recent survey showed that fewer than 40% of users actually read these agreements before clicking to agree.

  In principle, the user agreement is a legal document that sets out the rights and obligations between the app developer and the user, and it plays an important role in protecting user privacy and other rights. Why do more than 60% of users ignore it?

Are all the permissions an app obtains after the user clicks "Agree" actually necessary?

Is there "excessive permission-seeking"?

What more needs to be done to regulate how apps access private data and to form industry norms?

An overlong agreement hinders users' right to know

  In the era of the mobile Internet, apps have become an essential tool.

When an app is downloaded and used for the first time, clicking "I have read and agree to the User Agreement and Privacy Policy" has also become a routine operation.

  What do the user agreements and privacy policies of the apps we commonly use usually cover?

  Professor Shan Yong of the Law School of Nanjing University told Science and Technology Daily that the user agreement of a typical platform generally covers "the scope of information collected, how information is stored and protected, how information is used, notices about information sharing, and notices about information processing", and so on.

  Once the user clicks "Agree", certain rights are handed over to the app's operating company, such as access to the phone's address book, reading of the phone's storage, obtaining location information, and turning on Bluetooth or the wireless network.

  Shan Yong said that, under the Personal Information Protection Law, a processor acting on the user's consent may process personal information only for the specific purposes consented to; to check and balance that processing, the user is legally entitled to be informed and to consent, to restrict or refuse processing, and to access, copy, correct, delete, and withdraw consent.

  However, user agreements often run to ten thousand or even tens of thousands of characters, filled with technical and obscure content.

According to statistics, five mobile apps each downloaded more than 100 million times require users to "read and agree" to an average of about 27,000 characters of agreement text.

  From a legal standpoint, the more detailed the agreement, the clearer the rights and responsibilities of both parties: it constitutes full notification and avoids subsequent disputes to the greatest extent.

In practice, however, an agreement of ten thousand characters hinders consumers' right to know.

  Because most users lack the patience, and the professional knowledge, to read and understand the agreement, ticking "agree" in that state leaves them unclear about which rights they have handed over.

  "What information the app needs my consent to obtain, what rights I have, and what responsibilities I must bear could all be put in a list." Xiaoyu hopes that user agreements can "make a long story short", with the important parts that closely concern users placed up front and highlighted.

The ultimate goal of "excessive permission-seeking" may be profit

  "Your friends are also using this app", "You and TA have 3 mutual friends", "matching your address book can help you find friends faster"... Prompts like these are familiar to many mobile phone users.

  The rise of the mobile Internet has driven the development of new social platforms. Short-video, shopping, fitness and news apps basically had nothing to do with social networking in the past, but now they have all been given social attributes.

  "There is a 'small world theory' in mathematics: any two people in the world can be connected through six intermediaries." Professor Ren Yongjun, a network security expert at Nanjing University of Information Science and Technology, said that after the user clicks "Agree", the app reads the address book through the permission it has been granted, matches the data in the background, then recommends people you do not know and tells you that the two of you have mutual friends.

  In the past, the "small world theory" was not easy to prove; now it can be realised with ease. While we marvel that "the world really is small", should we be wary of the app's "excessive permission-seeking"?

  Professor Shan Yong explained that in March 2021, four national ministries and commissions jointly issued the "Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (Apps)", whose Article 5 enumerates the necessary personal information for 39 common types of apps; the address book is not within that necessary scope.

  In December 2021, the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) and the China Cyberspace Security Association released the "Monitoring and Analysis Report on the Illegal Collection and Use of Personal Information by Apps". It states that the latest versions of leading apps such as WeChat and 51Job no longer request irrelevant permissions such as storage and device information, but "excessive permission-seeking" by small and medium-sized apps remains very serious: monitoring from September to December 2021 alone shows that among apps newly listed on mainstream stores such as Huawei, Xiaomi and the Tencent App Store, nearly 1,000 apps with this problem are released every month on average.

  For commercial purposes such as precise user profiling, promotion and marketing, some apps try to collect more personal information than is necessary to deliver their functions.

For example, the call-blocking function of one app requires seven sensitive permissions including SMS, storage and contacts; a sports and fitness app obtained location information nearly 100 times per minute while the user was using unrelated functions such as watching videos; another app collects location information not only when the user shares a location, but also in unrelated functions such as scan-to-pay, in order to profile the user's consumption behaviour.

Many apps still request multiple unrelated permissions in a pop-up at first launch, even though they no longer force the collection of information.
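The "excessive permission-seeking" described above has a static, checkable form: the permissions an Android app declares in its manifest can be compared against the necessary scope for its category. The script below is an added example, not code from the article, the report or any regulator; the per-category allow-lists are illustrative assumptions standing in for the regulation's enumerated scope (they are not quoted from it), and the manifest is constructed for the example. The permission constants themselves are real Android names.

```python
"""Audit an Android manifest's declared permissions against a per-category
allow-list and flag sensitive permissions outside the assumed necessary scope.
Added example; the allow-lists are assumptions, not the regulation's text."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree's form of android:name

# Real Android permission constants, mapped to the data each one unlocks.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.WRITE_CONTACTS": "address book",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background location",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call records",
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}

# ASSUMPTION: illustrative allow-lists. A real audit would transcribe the
# necessary scope for each of the 39 categories from the regulation itself.
NECESSARY = {
    "sports_fitness": {"android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.ACCESS_COARSE_LOCATION"},
    "short_video": set(),
    "call_blocking": {"android.permission.READ_PHONE_STATE",
                      "android.permission.READ_CALL_LOG"},
}


def declared_permissions(manifest_xml: str) -> list[str]:
    """Every <uses-permission android:name=...> in the manifest, sorted."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    return sorted(n for n in names if n)


def excess_permissions(manifest_xml: str, category: str) -> dict[str, str]:
    """Sensitive permissions declared beyond the category's allow-list,
    mapped to the kind of data each one exposes."""
    if category not in NECESSARY:
        raise ValueError(f"no allow-list for category {category!r}")
    allowed = NECESSARY[category]
    return {p: SENSITIVE[p] for p in declared_permissions(manifest_xml)
            if p in SENSITIVE and p not in allowed}


def report(manifest_xml: str, category: str) -> str:
    """Human-readable audit result for one manifest and category."""
    excess = excess_permissions(manifest_xml, category)
    lines = [f"category: {category}", f"excess sensitive permissions: {len(excess)}"]
    lines += [f"  {perm}  ->  {data}" for perm, data in excess.items()]
    return "\n".join(lines)


# Constructed manifest for a hypothetical fitness app that also asks for
# contacts, device identifiers and storage (none needed for fitness tracking).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fitness">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>
"""

if __name__ == "__main__":
    print(report(SAMPLE_MANIFEST, "sports_fitness"))
```

To run this against a real APK, extract the binary manifest with a tool such as apktool or aapt and feed the decoded XML to `excess_permissions`. A manifest audit only shows what an app *may* request; the runtime behaviour the report describes (location sampled nearly 100 times a minute during unrelated functions) needs dynamic monitoring of actual permission use, which this static check does not cover.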

  "After the app obtains these permissions, it seems to help users expand their circle of friends and their lives, but users' private information is also invisibly exposed. The fundamental reason the app asks for these permissions is that the company wants to expand its market or promote itself, for profit," Ren Yongjun believes.

  In 2021, the Cyberspace Administration of China focused on rectifying "seven categories" of out-of-scope collection, and a large number of violations, including out-of-scope collection of users' address books, precise geographic locations, text messages and call records, were rectified.

Protecting privacy requires a special "gatekeeper"

  Recently, the National Computer Virus Emergency Response Center found through Internet monitoring that 17 mobile apps had privacy violations and were suspected of collecting personal information beyond the necessary scope.

  Notifications like this are not uncommon.

In 2021 alone, the Cyberspace Administration of China publicly notified 351 apps with serious violations of laws and regulations and ordered them to rectify within a time limit.

  Even so, the collection of sensitive data by apps remains a prominent problem.

The Cyberspace Administration of China found that 60.7% of apps collected unique device identifiers such as the Android ID, 55.4% collected the list of installed apps, and 13.7% collected clipboard contents; such data can be used for profiling, personalised push and other services.

  "Personal information is an important data asset. Some apps, especially utility apps, have a huge user base. Criminals and hackers have long had their eyes on this sensitive information, forming a black industry chain, and the sale of information causes serious security problems at multiple levels." Professor Ren Yongjun gave the example of a travel app or a takeaway app holding information on more than a million users: once leaked, it may not only affect the individuals themselves but may even endanger national security.

  Ren Yongjun said that users should not give up reading just because an agreement is too long.

They should not casually enable or agree to unnecessary privacy permissions, should not casually enter private personal information, and should maintain and clean up the relevant data regularly so that private information is not leaked.

  So, for the supervisory authorities, how can long-winded user agreements be restrained and the protection of user privacy be put into practice?

  Relevant agencies are currently drafting "Information Security Technology: Requirements for Privacy Agreements of Internet Platforms, Products and Services", which will provide guidelines for platform companies' user agreements and privacy policies.

  Compared with the formulation of industry norms, how those norms are implemented deserves more attention.

  Professor Shan Yong believes there are three main reasons why the unlawful collection of user information by apps cannot be rooted out: first, the industry authorities' management resources are limited, and it is difficult to regulate the information collection of every app by relying on industry supervision alone; second, some small and medium-sized enterprises take their chances and try to obtain higher economic gains through violations; third, although laws such as the Personal Information Protection Law grant users data rights, how those rights are exercised in practice is unclear, and users find it difficult to assert their rights effectively when they are violated.

  "Industry regulators should continue special campaigns against the unlawful collection and use of personal information, and make full use of leading platforms as 'gatekeepers', which should fulfil their obligation to supervise the apps in their app stores and the mini-programs on their platforms and regulate how those apps and mini-programs collect personal information." Shan Yong also suggested improving the reporting channels and transparency-reporting mechanisms for personal information protection, to safeguard users' right to know and to oversee industry governance.

  ◎Reporter Zhang Ye